Status of haproxy 1.5 tproxy of ipv6

2013-06-06 Thread Delta Yeh
Hi,
   When using ipv4, tproxy (both clientip and hdr_ip) works OK, but it seems
that hdr_ip does not work with ipv6?

BR,
DeltaY


Re: Debian/Ubuntu packages for HAProxy

2013-06-06 Thread Ramin K

On 6/6/2013 12:08 AM, Vincent Bernat wrote:

Hi!

If you want to use prebuilt packages for HAProxy for Debian or Ubuntu,
here is what is available:

If you want HAProxy 1.4:

  1. For Debian Sid (unstable) and Debian Jessie (testing), just "apt-get
 install haproxy".

  2. For Debian Wheezy (stable), "apt-get install haproxy -t
 wheezy-backports". See instructions here for adding the appropriate
 repository:
 http://backports.debian.org/Instructions/

  3. For Debian Squeeze (old-stable), "apt-get install haproxy -t
 squeeze-backports-sloppy". See instructions here for adding the
 appropriate repository:
 http://backports.debian.org/Instructions/

  4. For Ubuntu Precise (12.04) or Ubuntu Lucid (10.04), you can use the
 following PPA:
 https://launchpad.net/~vbernat/+archive/haproxy-1.4

  5. For Ubuntu Saucy (13.10), "apt-get install haproxy".

If you want HAProxy 1.5:

  1. For Debian Sid (unstable), you need to enable Debian experimental
 repositories and "apt-get install haproxy -t experimental".

  2. For other versions of Debian, we don't have a solution yet but it is
 expected to come in the next couple of months once Debian sets up its
 own PPA solution.

  3. For Ubuntu Precise (12.04) or Ubuntu Lucid (10.04), you can use the
 following PPA:
 https://launchpad.net/~vbernat/+archive/haproxy-1.5

For problems with Debian packages, you can use reportbug to report
them. For Ubuntu packages, since they are not official, either contact
me or post on this list. Be sure to enable haproxy to start by looking
at /etc/default/haproxy and put something sensible in
/etc/haproxy/haproxy.cfg.

Currently, those packages have received little testing. Be careful when
using them.



Thanks for posting this. Nice to see the packaging move forward and that 
socket in the chroot trick for rsyslog is very slick.


Ramin



RE: Whitespace in external ACL file triggers parsing error

2013-06-06 Thread Lukas Tribus
Hi Slawek,


> if you consider that white spaces are not visible for human eyes (at
> least not in default editor view) - therefore it is very easy to make
> errors.

True, but we are not talking about a configuration file, it's a pattern
file, which by definition should be as exact as possible. When writing
them (or generating them from other data via scripts, etc), you need to be
careful anyway and sanitize everything (192.168.1.257 will also fail).

It's not like HAProxy silently fails to match those IP addresses (that would
be really bad), but it refuses to start and prints a warning.

I think the idea behind loading the ACL from a file is to feed it with data
automatically (via scripts, rsync, etc). If that's the case, then your data
is probably sanitized elsewhere anyway.


(I do realize that you lost some time to find out about the trailing space
in your pattern file, I just think the feedback in such a case from HAProxy
*1.5* is good enough).



> you are allowed to put space character in front of the IP.

From this point of view it does seem inconsistent; but I would rather see it
like this: the behavior is undefined when you have leading and/or trailing
whitespaces in a pattern.

I do not think the parser's job should be to work around every possible
whitespace issue in the pattern definitions - this may do more harm
than good.

Aborting on inaccurate/incomplete or bogus patterns is a good thing,
because it helps us to spot an error before starting HAProxy (without the
need of a hardcore troubleshooting session at 03 o'clock in the morning
to understand why the new ACL pattern we rushed to the production boxes
doesn't stop the latest HTTP exploit (consider this in combination with the
behavior before and after commit 588bd4f81 "[BUG] http: trailing white
spaces must also be trimmed after headers"). I like such things to be as
strict as possible for that reason.

That being said, to make this fully consistent I would rather not allow
leading white spaces anymore ;)

If we maintain current behavior, I believe we can do better at least in
the documentation: we talk about leading spaces and tabs, but leave
trailing spaces up to imagination. Let's be as clear as possible in the
docs.


These are my two cents as a HAProxy user, I guess it would be good to hear
some more opinions from other users and Willy himself?


Cheers,
Lukas 
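
The pre-deployment sanitizing discussed in this thread, sketched as an added example (not part of the original messages and not HAProxy code). It assumes the rules described here and in the documentation: leading spaces and tabs are stripped, lines starting with '#' and empty lines are ignored, and everything else on the line, trailing whitespace included, is the pattern. The function names and the sample file are hypothetical, and HAProxy's own parser remains the authority.

```python
"""Pre-deployment lint for an HAProxy IP pattern file (added example)."""
import ipaddress

# Constructed sample input; not taken from a real deployment.
SAMPLE = (
    "# office ranges\n"
    "192.168.1.1\n"
    "  192.168.1.3\n"        # leading blanks are stripped, so this is accepted
    "192.168.1.2 \n"         # trailing space: the case from the thread
    "192.168.1.257\n"        # out-of-range octet
    "10.0.0.1 10.0.0.2\n"    # two addresses on one line
    "2001:db8::/32\n"
    "\n"
)


def check_line(raw):
    """Return None if the line is acceptable, else a short reason string."""
    line = raw.rstrip("\r\n")
    if line.startswith("#"):
        return None                      # comment line
    pattern = line.lstrip(" \t")
    if not pattern:
        return None                      # empty or blank-only line
    if pattern != pattern.rstrip():
        return "trailing whitespace is part of the pattern"
    if any(ch.isspace() for ch in pattern):
        return "embedded whitespace (one pattern per line)"
    try:
        # Accepts a single address, CIDR, or address/netmask (assumed scope).
        ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return "not a valid IPv4 or IPv6 address or network"
    return None


def lint(text):
    """Return [(line_number, repr_of_line, reason)] for every rejected line."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        reason = check_line(raw)
        if reason:
            findings.append((number, repr(raw), reason))
    return findings


if __name__ == "__main__":
    for number, shown, reason in lint(SAMPLE):
        print(f"line {number}: {shown}: {reason}")
```

Printing the line with repr() makes the invisible trailing space show up in the report.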


Re: Question about HTTP load balancing using HAProxy

2013-06-06 Thread Ali Majdzadeh
Jonathan,
Thanks a lot for your comments. Actually, the problem I currently face is
how to provide maximum reliability (if this word applies) in terms of
http load balancing. Well, I definitely understand your constraints
regarding professional consultancy and thank you again for your valuable
comments. I will investigate more on the issue and hope to find a proper
solution; being a technical approach or just as you suggested, a statement
of non-applicability.
Thanks in advance.

Ali
 On Jun 7, 2013 12:23 AM, "Jonathan Matthews" 
wrote:

> On 4 June 2013 09:09, Ali Majdzadeh  wrote:
> >
> > Jonathan, Lukas
> > Thanks for your valuable comments. Would you please indicate some of
> > those moving parts that could fail during a single download, Jonathan?
>
> Sorry Ali, I don't think that's appropriate to the HAProxy mailing
> list. Other people may help you with this, but it's too close to my
> usual job for me to spend time on, on the wrong list. Contact me
> professionally off-list if you like.
>
> > From Lukas comments, I realized that at least some parts of the problem
> > are related to the client agent, is that right? I mean, for example, being
> > the primary server failed, if the client agent retries the download
> > request, HAProxy can proxy the new request to the other back-end server and
> > download continues from where it was interrupted, is this conclusion
> > correct?
>
> That probably won't happen. You'll need explicit support on both
> client and server for HTTP Range requests, which I'm not sure you'll
> get if you're just exposing download links and expecting a user to
> re-click after a failed download. Check out
> http://zoompf.com/2010/03/performance-tip-for-http-downloads for some
> more information on this.
>
> Regards,
> Jonathan
> --
> Jonathan Matthews // Oxford, London, UK
> http://www.jpluscplusm.com/contact.html
>
>


Re: Whitespace in external ACL file triggers parsing error

2013-06-06 Thread slaweuk
On 5 Jun 2013, at 18:55, Lukas Tribus  wrote:
> 
> Correct, because a trailing space is - like every space or tab other than
> the leading ones - part of the pattern and since a valid IP Address has
> no spaces in it, the ACL is invalid.
> 
> HAProxy 1.5 returns a more obvious error:
> 
>[ALERT] 155/194203 (3339) : parsing [../haproxy.cfg:50] : error detected 
> while parsing ACL 'whitelist' : '192.168.1.2 ' is not a valid IPv4 or IPv6 
> address.
> 

Hi Lukas,

Thanks for your response.

Sure, if you explicitly consider whole line it definitively won't pass the 
validation.

However, I'm still having difficulty understanding the reasons behind this? Why 
not to sanitise white spaces during config parsing? 

Especially, if you consider that white spaces are not visible for human eyes 
(at least not in default editor view) - therefore it is very easy to make 
errors.

As well, if you consider that:

- you are not allowed to put multiple IPs in single line,
- you are allowed to put space character in front of the IP.

I still feel that this is rather unintentional behaviour.

Kind Regards
Slawek


Re: Question about HTTP load balancing using HAProxy

2013-06-06 Thread Jonathan Matthews
On 4 June 2013 09:09, Ali Majdzadeh  wrote:
>
> Jonathan, Lukas
> Thanks for your valuable comments. Would you please indicate some of those 
> moving parts that could fail during a single download, Jonathan?

Sorry Ali, I don't think that's appropriate to the HAProxy mailing
list. Other people may help you with this, but it's too close to my
usual job for me to spend time on, on the wrong list. Contact me
professionally off-list if you like.

> From Lukas comments, I realized that at least some parts of the problem are 
> related to the client agent, is that right? I mean, for example, being the 
> primary server failed, if the client agent retries the download request, 
> HAProxy can proxy the new request to the other back-end server and download 
> continues from where it was interrupted, is this conclusion correct?

That probably won't happen. You'll need explicit support on both
client and server for HTTP Range requests, which I'm not sure you'll
get if you're just exposing download links and expecting a user to
re-click after a failed download. Check out
http://zoompf.com/2010/03/performance-tip-for-http-downloads for some
more information on this.

Regards,
Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html



Re: Multiprocess stats?

2013-06-06 Thread Stephanie Jackson
Hi Lukas,

On 2013-06-03, at 7:13 PM, Lukas Tribus wrote:

> Hi Stephanie,
> 
> 
>> We're currently using haproxy with 8 processes. Is there any way to get
>> combined stats for all processes?
> 
> No, there isn't.
> 
> 
>> Is there a way to set it up to report on each process and combine them
>> outside of haproxy?
> 
> You should be able to bind each stats socket to a single process and
> collect them one after another. Look at configuration options like "stats
> bind-process", etc [1].
> 


I don't see a way to do this.  If I try to set up multiple sockets, and then 
bind to them, it only binds one stat process.

As an example, from our config:


stats   socket /var/run/haproxy.sock mode 777 level admin
stats   bind-process 1
stats   socket /var/run/haproxy2.sock mode 777 level admin
stats   bind-process 2


But:

[root@elb1 ~]# echo 'show info' | socat unix-connect:/var/run/haproxy.sock stdio
Name: HAProxy
Version: 1.5-dev18
Release_date: 2013/04/03
Nbproc: 8
Process_num: 2

[root@elb1 ~]# echo 'show info' | socat unix-connect:/var/run/haproxy2.sock stdio
Name: HAProxy
Version: 1.5-dev18
Release_date: 2013/04/03
Nbproc: 8
Process_num: 2

I've done a bunch of googling and haven't found the solution.  Putting the 
bind-process as part of the socket creation causes haproxy to fail its config 
check.

Thanks!
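
A way to check which processes a set of stats sockets actually reaches, as an added example (not part of the original message and not HAProxy code). It parses `show info` replies, here abridged from the two runs above, and reports sockets that land on the same process and processes that no socket reaches. The function names are hypothetical.

```python
"""Check which HAProxy processes a set of stats sockets reach (added example)."""
import socket

# Replies abridged from the two `show info` runs in the message above.
CAPTURED = {
    "/var/run/haproxy.sock": "Name: HAProxy\nVersion: 1.5-dev18\nNbproc: 8\nProcess_num: 2\n",
    "/var/run/haproxy2.sock": "Name: HAProxy\nVersion: 1.5-dev18\nNbproc: 8\nProcess_num: 2\n",
}


def show_info(path, timeout=2.0):
    """Send `show info` to a stats socket and return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(b"show info\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def parse_info(reply):
    """Turn 'Key: value' lines into a dict; other lines are ignored."""
    info = {}
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def coverage(replies):
    """Return (process -> sockets map, sorted list of unreachable processes)."""
    reached, nbproc = {}, 0
    for path, reply in replies.items():
        info = parse_info(reply)
        nbproc = max(nbproc, int(info["Nbproc"]))
        reached.setdefault(int(info["Process_num"]), []).append(path)
    missing = [n for n in range(1, nbproc + 1) if n not in reached]
    return reached, missing


if __name__ == "__main__":
    reached, missing = coverage(CAPTURED)
    for proc, paths in sorted(reached.items()):
        print(f"process {proc}: {', '.join(paths)}")
    print("not reachable through any socket:", missing)
```

On a live host, build the input with `{p: show_info(p) for p in paths}` instead of the captured replies.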


[PATCH] DOC: examples: provide simplified ssl configuration

2013-06-06 Thread Lukas Tribus
Hi!

Here's a patch to provide a simple example ssl configuration we could add to
examples/*:

DOC: examples: provide simplified ssl configuration

Provides a minimalistic ssl configuration example - no details because
they belong to doc/*.



Let me know what you think.


Regards,
Lukas 

0001-DOC-examples-provide-simplified-ssl-configuration.patch
Description: Binary data


RE: HAProxy latest on SSL

2013-06-06 Thread Lukas Tribus
Hi Daniel,


You should be able to find everything in doc/configuration.txt (or online
at [1], [2], [3]). If that's not the case, then we need to fix the docs :)

However I agree a good example can be very useful. Perhaps we should
include this config in examples/* ...

Anyway, here we go:

global
 maxconn 100
defaults
 mode http
 timeout connect 5s
 timeout client 30s
 timeout server 30s
frontend myfrontend
 # primary cert is /home/lukas/cert/server.pem (may be a wildcard cert)
 # /home/lukas/cert/certdir/ contains additional certificates for SNI clients
 bind :443 ssl crt /home/lukas/cert/server.pem crt /home/lukas/cert/certdir/
 bind :80
 default_backend mybackend
backend mybackend
 # a http backend
 server s3 10.0.0.3:80
 # a https backend
 server s4 10.0.0.3:443 ssl



Also, when something doesn't work as expected, try with the latest snapshot
at [4] (or clone from git). v1.5 is still in development and bug fixes are
committed regularly.


Regards,
Lukas


[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5-crt
[2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-ssl
[3] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl
[4] http://haproxy.1wt.eu/download/1.5/src/snapshot/
  


Re: Debian/Ubuntu packages for HAProxy

2013-06-06 Thread Vincent Bernat
 ❦  6 June 2013 10:55 CEST, Willy Tarreau  :

> Thank you very much for this work, I'm sure this will be appreciated a lot
> and will improve user experience by definitely getting rid of the old bogus
> versions.

BTW, I am not alone on this. Debian packages are also maintained by
Apollon Oikonomopoulos and Prach Pongpanich.
-- 
 /* Identify the flock of penguins.  */
2.2.16 /usr/src/linux/arch/alpha/kernel/setup.c



HAProxy latest on SSL

2013-06-06 Thread Daniel Storjordet
Hi.

I am a little confused by all the different examples of HAProxy with SSL.
Are a lot of the examples outdated and do not work with latest version?

Could any of you reference me to a clean configuration example that:

o Supports regular and SSL traffic with same backend.
o Selects a folder with certificates to be used.
o Supports both wildcard and regular SSL certificates in that folder.


Thanks.

Daniel Storjordet
Destino AS


Haproxy equivalent of Apache mod_rewrite RewriteMap

2013-06-06 Thread Sachin Shetty
Hi,

We use RewriteMap extensively in Apache to look up an external service on
the header host to determine which downstream pool we want to use:

Something like this in apache:

RewriteMap d2u prg:/www/bin/dash2under.pl
RewriteRule - ${d2u:%{HOST}}

Is there a way to do this in haproxy? i.e. look up a backend pool name
based on a header and then route the request to the backend. Please note
that we cannot simply hash the requests to any backend since specific
requests can only be handled by specific pools.
Thanks
Sachin




Re: Debian/Ubuntu packages for HAProxy

2013-06-06 Thread Willy Tarreau
Hi Vincent,

On Thu, Jun 06, 2013 at 09:08:30AM +0200, Vincent Bernat wrote:
> Hi!
> 
> If you want to use prebuilt packages for HAProxy for Debian or Ubuntu,
> here is what is available:
> 
> If you want HAProxy 1.4:
> 
>  1. For Debian Sid (unstable) and Debian Jessie (testing), just "apt-get
> install haproxy".
> 
>  2. For Debian Wheezy (stable), "apt-get install haproxy -t
> wheezy-backports". See instructions here for adding the appropriate
> repository:
> http://backports.debian.org/Instructions/
> 
>  3. For Debian Squeeze (old-stable), "apt-get install haproxy -t
> squeeze-backports-sloppy". See instructions here for adding the
> appropriate repository:
> http://backports.debian.org/Instructions/
> 
>  4. For Ubuntu Precise (12.04) or Ubuntu Lucid (10.04), you can use the
> following PPA:
> https://launchpad.net/~vbernat/+archive/haproxy-1.4
> 
>  5. For Ubuntu Saucy (13.10), "apt-get install haproxy".
> 
> If you want HAProxy 1.5:
> 
>  1. For Debian Sid (unstable), you need to enable Debian experimental
> repositories and "apt-get install haproxy -t experimental".
> 
>  2. For other versions of Debian, we don't have a solution yet but it is
> expected to come in the next couple of months once Debian sets up its
> own PPA solution.
> 
>  3. For Ubuntu Precise (12.04) or Ubuntu Lucid (10.04), you can use the
> following PPA:
> https://launchpad.net/~vbernat/+archive/haproxy-1.5
> 
> For problems with Debian packages, you can use reportbug to report
> them. For Ubuntu packages, since they are not official, either contact
> me or post on this list. Be sure to enable haproxy to start by looking
> at /etc/default/haproxy and put something sensible in
> /etc/haproxy/haproxy.cfg.
> 
> Currently, those packages have received little testing. Be careful when
> using them.

Thank you very much for this work, I'm sure this will be appreciated a lot
and will improve user experience by definitely getting rid of the old bogus
versions.

Best regards,
Willy




Debian/Ubuntu packages for HAProxy

2013-06-06 Thread Vincent Bernat
Hi!

If you want to use prebuilt packages for HAProxy for Debian or Ubuntu,
here is what is available:

If you want HAProxy 1.4:

 1. For Debian Sid (unstable) and Debian Jessie (testing), just "apt-get
install haproxy".

 2. For Debian Wheezy (stable), "apt-get install haproxy -t
wheezy-backports". See instructions here for adding the appropriate
repository:
http://backports.debian.org/Instructions/

 3. For Debian Squeeze (old-stable), "apt-get install haproxy -t
squeeze-backports-sloppy". See instructions here for adding the
appropriate repository:
http://backports.debian.org/Instructions/

 4. For Ubuntu Precise (12.04) or Ubuntu Lucid (10.04), you can use the
following PPA:
https://launchpad.net/~vbernat/+archive/haproxy-1.4

 5. For Ubuntu Saucy (13.10), "apt-get install haproxy".

If you want HAProxy 1.5:

 1. For Debian Sid (unstable), you need to enable Debian experimental
repositories and "apt-get install haproxy -t experimental".

 2. For other versions of Debian, we don't have a solution yet but it is
expected to come in the next couple of months once Debian sets up its
own PPA solution.

 3. For Ubuntu Precise (12.04) or Ubuntu Lucid (10.04), you can use the
following PPA:
https://launchpad.net/~vbernat/+archive/haproxy-1.5

For problems with Debian packages, you can use reportbug to report
them. For Ubuntu packages, since they are not official, either contact
me or post on this list. Be sure to enable haproxy to start by looking
at /etc/default/haproxy and put something sensible in
/etc/haproxy/haproxy.cfg.

Currently, those packages have received little testing. Be careful when
using them.
-- 
Make sure input cannot violate the limits of the program.
- The Elements of Programming Style (Kernighan & Plauger)